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' We give a general method for proving quantum lower bounds for problems with small range. 

Namely, we show that, for any symmetric problem defined on functions / : {l,...,Af} — > 
{1, . . . , M}, its polynomial degree is the same for all M > N. Therefore, if we have a quantum 
query lower bound for some (possibly, quite large) range M which is shown using the polynomials 
^T} ' method, we immediately get the same lower bound for all ranges M > N. In particular, we get 

{^(N 1 / 3 ) and 0(iV 2 / 3 ) quantum lower bounds for collision and element distinctness with small 
range. As a corollary, we obtain a better lower bound on the polynomial degree of the two-level 
AND-OR tree. 



in 

cn ■ 1 Introduction 

p . 

Quantum computing provides speedups for many search problems. The most famous example is 
Qh! Grover's algorithm [14], which computes OR of N variables with 0(y/~N) queries. Other examples 

include counting [10], estimating mean and median [15, 19], finding collisions [9], determining 
element distinctness [8, 5], finding triangles in a graph [18] and verifying matrix products [11]. For 
many of these problems, we can also prove that known quantum algorithms are optimal or nearly 
optimal. 

In at least two cases, the lower bounds match the best known algorithm only with an additional 
"large range" assumption. For example, consider the collision problem [9, 2] which models collision- 
free hash functions. We have to distinguish if a function / : {1, . . . , N} — ► {1, . . . , M} is one-to-one 
or two-to-one. A quantum algorithm can solve the problem with 0(N 1 ^ 3 ) queries (evaluations of 
/) [9], which is better than the 6(iV 1 / 2 ) queries required classically. A lower bound by Aaronson 
and Shi [2] says that ri(A r1 / 3 ) quantum queries are required if M > 3N/2. If M = N, the lower 
bound becomes ^(A^ 1 / 4 ). 

A similar problem exists for element distinctness. (Again, we are given / : {l,...,iV} — ► 
{1, . . . , M} but / can be arbitrary and we have to determine if there are i ^ j, f(i) = f(j)-) If 
M = 0,(N 2 ), the lower bound is tt(N 2 / 3 ) [2], which matches the best algorithm [5]. But, if M = N, 
the lower bound is only Q(\/iV) or 0(i//VTog N), depending on the model [8, 16]. 

Thus, it might be possible that a quantum algorithm could use the small M to decrease the 
number of queries. While unlikely, this cannot be ruled out. Remember that classically, sorting 
requires f2(Anog 2 N) steps in the general case but only 0(N) steps if the items to be sorted are all 
from the set {1,...,N} (Bucket Sort, [13]). 
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In this paper, we show that the collision and element distinctness problems require f2(A 2 / 3 ) 
and ^(A 1 / 3 ) queries even if the range M is equal to N. Our result follows from a general result on 
the polynomial degree of Boolean functions. 

We show that, for any symmetric property (ft of functions / : {1, 2, . . . , A} — > {1, 2, . . . , M}, its 
polynomial degree is the same for all M > N. The polynomial degree of (ft provides a lower bound 
for both classical and quantum query complexity (This was first shown by Nisan and Szegedy 
[20] in the classical case and then extended to the quantum case by Beals et al. [6] for M = 2 
and Aaronson [1, 2] for M > 2.) Thus, one can prove lower bounds on quantum query complexity 
of a function (ft by lower-bounding the polynomial degree of (ft. This is known as the polynomials 
method for proving quantum lower bounds [6, 12, 2]. 

Our result means that, if we have a quantum lower bound for a symmetric property (ft shown 
by the polynomials method for some range size M, we also have the same quantum lower bound 
for all M > N. As particular cases, we get lower bounds on the collision and element distinctness 
problems with small range. Since many quantum lower bounds are shown using the polynomial 
degree method, our result may have other applications. 

A corollary of our lower bound on element distinctness with small range is that the polynomial 
degree of the two level AND-OR tree on A 2 variables is f2(A 2 / 3 ). This improves over the previously 
known lower bound of Q(^N log A) by Shi [22]. 

Related work. The ^(A 1 / 3 ) lower bound for the collision problem with small range was 
independently discovered by the author of this paper and Kutin [17], at about the same time, with 
completely different proofs. Kutin [17] takes the proof of f^A 1 / 3 ) lower bound for the collision 
problem with a large range [2] and changes it so that it works for all M > A. Our result is 
more general because it applies to any symmetric property and any lower bound shown by the 
polynomials method. On the other hand, Rutin's proof has the advantage that it also simplifies 
the lower bound for the collision problem with large range by Aaronson and Shi [2]. 

2 Preliminaries 

2.1 Quantum query model 

Let [k] denote the set {1, . . . , k}. Let / be a function from [A] to [M\. Let J-(N, M) be the set of 
all / : [A] — > [M]. We are given a function / G T{N,M) by an oracle that answers queries. In one 
query, we can give i to the oracle and it returns f(i) to us. 

We would like to know whether / has a certain property (for example, whether / is one-to-one). 
More formally, we would like to compute a partial function <ft : T 1 — > {0, 1}, where T 1 C J-(N, M). 
In particular, we are interested in the following two properties: 

Problem 1: Collision. (ft{f) = 1 if the input function / is one-to-one. (ft{f) = if / is 
two-to-one (i.e., if, for every k 6 [M], there are either zero or two x G [A] satisfying f(x) = k). 
</>(/) is undefined for all other /. 

Problem 2: Element distinctness. <ft(f) = 1 if the input function / is one-to-one. (ft{f) = 
if there exist i,j, i / j, f(i) = f(j). 

A quantum algorithm with T queries is just a sequence of unitary transformations 

U ^ O f -► L/i O f -► ► U T ^ -+Of -► U T . 

The Uj's can be arbitrary unitary transformations that do not depend on /(l), . . . , /(A). O is a 
query (oracle) transformation. To define Of, we represent basis states as \i,b,z) where i consists 
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of [log N] bits, b is [logM] bits and z consists of all other bits. Then, Of maps \i,b, z) to 
\i,(b + f(i)) mod M,z). 

The computation starts with a state |0). Then, we apply Uq, Of, Of, and measure 
the final state. The result of the computation is the rightmost bit of the state obtained by the 
measurement. 

The quantum algorithm computes (j) with error e if, for every / such that (j){f) is defined, the 
probability that the rightmost bit of UtO fUr-i • • • OfUo\0) equals 4>{f) is at least 1 — e. (Through- 
out this paper, e is an arbitrary but fixed value, with < e < 1/2.) 

2.2 Polynomial lower bound 

We can describe a function / : [N] — > [M] by N x M Boolean variables y^ which are 1 if f(i) = j 
and otherwise. Let y = (yn, ■ ■ ■ , Vnm)- 

Definition 1 We say that a polynomial P e- approximates the property (f> if 

1. 4>{f) = 1 implies 1 — e < P(y) < 1 for y = (yn, . . . , 2/atjw) corresponding to f; 

2. 4>(f) = implies < P(y) < e for y = (yn, . . . , yNu) corresponding to f ; 

3. If 4>{f) is undefined, then < P(y) < 1 for the corresponding y. 

A polynomial P approximates f if it e- approximates f for some fixed e < 1/2 

P is allowed to take any value if y does not correspond to any /. (This happens if for some 
i G [N] there is no or there is more than one j 6 [M] with yij = 1.) 

Lemma 1 [1, 2] If a quantum algorithm computes <p with error e using T queries then there is a 
polynomial P(yn, ■ ■ ■ ,Unm) of degree at most 2T that e- approximates 4>. 

A lower bound on the number of queries can be then shown by proving that such a polynomial 
P does not exist. For the collision and element distinctness problems, we have 

Theorem 1 [21, 2} 1 

1. If a polynomial P approximates the collision property for M > ^j-, the degree of P is f^iV 1 / 3 ); 

2. If a polynomial P approximates the element distinctness property for M = Q(N 2 ), the degree 
ofP is fl{N 2 / 3 ); 

Therefore, ^(iV 1 / 3 ) and 0(iV 2 / 3 ) queries are required to solve the collision problem and element 
distinctness problem if the range M is sufficiently large. Previously, only weaker lower bounds of 
ft(iV 1/4 ) [2] and Q(^/N\^gN) [16] were known if M = N. 

1 More precisely, Shi [21, 2] proved that any polynomial approximating another problem, the half two-to-one 
problem, has degree 0(A rl/ ' 3 ). He then used that to deduce that Q(N 1 ^ 3 ) and ^1(N 2 ^ 3 ) quantum queries are needed 
for the collision problem (when M > ™) and the element distinctness problem (when M = Q(N 2 )). His proof 
can be easily modified to show a lower bound on the degree of polynomials approximating the collision and element 
distinctness problems. 
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3 Results 



We call a property <j> symmetric if, for any tt G Sn and a G Sm, 

<Kf)=<K*fn). 

That is, <£(/) should remain the same if we permute the input set {1, . . . , N} before applying / 
or permute the output set {1,...,M} after applying /. The collision and element distinctness 
properties are both symmetric. 
Our main result is 

Theorem 2 Let (f> : T' — ► {0,1}, T' C T(N,M) be symmetric. Let (/>' be the restriction of <fi to 
f : [N] — ► [A]. T/ien, the minimum degree of a polynomial (in y-ij, i G [N], j G [M]^ approximating 
<p is equal to the minimum degree of a polynomial (in y-ij, i G [N], j G [N]) approximating <fi' . 

Theorems 1 and 2 imply that fJ(A 1//3 ) and f2(A 2 / 3 ) queries are needed to solve the collision 
and element distinctness problems, even if M = A. (For M < A, these problems do not make 
sense because they both involve / being one-to-one as one of the cases.) 

The proof of Theorem 2 is in two steps. 

1. We describe a different way to describe an input function / by variables z±, . . ., zm instead 
of yii, . . . , yNM- We prove that a polynomial of degree k in z±, . . ., zm exists if and only if a 
polynomial of degree k in yu, . . ., yNM exists. 

2. We show that a polynomial Q(z±, . . . , zm) for M > N exists if and only Q(z\, . . . , zn) exists. 

The first step can be useful on its own. The representation of / by yu, . . ., yNM gave the lower 
bounds of [2]. The new representation by z±, . . ., zn might yield new lower bounds that are easier 
to prove using this approach. 

3.1 New polynomial representation 

We introduce variables z\, . . ., zm, with Zj = (equivalently, Zj = \{i : yij = 1}|). We say 

that a polynomial Q in z\, . . . , zm approximates (j) if it satisfies requirements similar to Definition 
1. (Q G [1 - e, 1] if (f)(f) = 1, Q G [0, e] if </>(/) = 0, and Q G [0, 1] if z±,...,zm correspond to 
/ G J~(N, M) for which <j>(f) is not defined.) 

Example 1: A polynomial Q(zi, . . . , zm) approximates the collision property if: 

1. Q(z\, . . . , zm) G [1 — e, 1] if N of the variables z±, . . ., zm are 1 and the remaining M — N 
variables are 0; 

2. Q(z\, . . . , zm) G [0, e] if y of the variables z\, . . ., zm are 2 and the remaining M— y variables 
are 0; 

3. Q(zi, . . . , zm) G [0, 1] if zi, . . . , zm are non-negative integers and Z\ + ■ ■ ■ + zm = N. 

Example 2: A polynomial Q(z\, . . . , zm) approximates element distinctness if: 

1. Q(z\, . . . , zm) G [1 — e, 1] if of the variables zi, . . ., zm are 1 and the remaining M — N 
variables are 0; 
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2. Q(zi, . . . , zm) £ [0, e] if zi, . . . , zm are non-negative integers, z\ + ■ ■ ■ + zm = N, and Z{ > 1 
for some i. 

In both cases, there is no restriction on Q(z±, . . . , zm) when z\ + • • • + zm / A~ because such 
zi, . . ., zm do not correspond to any / : [N] — ► [M]. 

Lemma 2 Lei (ft : J 7 ' ^ {0, 1}, J 7 ' C F{N,M) be symmetric. Then, the following two statements 
are equivalent: 

(1) There exists a polynomial Q of degree at most k in Z\ , . . . , zm approximating <f>; 

(2) There exists a polynomial P of degree at most k in yn, . . ., yNM approximating 4>. 

Proof: To see that (1) implies (2), we substitute Zj = y±j + yij + ■ ■ ■ + yNj into Q and obtain a 
polynomial in y^ with the same approximation properties. Next, we show that (2) implies (1). 

Let P(yn, ■ ■ ■ , Vnm) be a polynomial approximating <p. We define Q(z±, . . . , zm) as follows. Let 
S be the set of all y = (yn, . . . , yNM) corresponding to functions / : [N] — > [M] with the property 
that, for every i £ [M] the number of j with f(j) = i is exactly Zj. We define Q(zi, ■ ■ ■ , zm) as the 
expectation of of P(yu, • • • , yNM) when y = (yn, . . . , yNM) is picked uniformly at random from S. 
(An equivalent way to define Q is to fix one function / with this property and to define Q as the 
expectation of of P(yu, • • • , yNM), for y = (yn, . . . , yNM) corresponding to the function fir, with 
7T being a random element of Sn-) 

Since is symmetric, we have <fi(f) = (f)(fir). Therefore, if P(yu, ■ ■ ■ ,Vnm) approximates (j), 
then Q(zi, . . . , zm) also approximates (f>. 

It remains to prove that Q is a polynomial of degree at most k in z\, . . . , zm. Let 

I = Vixhyiih ' ' ' Vikjk 

be a monomial of P. It suffices to prove that each E[I] is a polynomial of degree at most k because 
E[P] is the sum of E[I] over all /. 

We can assume that i\ for I £ {l,...,fe} are all distinct. (If the monomial / contains two 
variables y^ with the same i, j, one of them is redundant because yfj = yij. If / contains y^, y^/, 
j 7^ j', then yijyif = because /(z) cannot be equal j and j' at the same time. Then, / = 0.) We 
have 

k 

E[I] = Pr[y ilh = 1] ]J Pr [Vim = MViih ■ ■ ■ Vk-di-i = !]■ 

There are variables y^j . Out of them, variables are equal to 1 and each y^ is equally likely 
to be 1. Therefore, 

Prbnn = M = f 
Furthermore, let be the number of I' < I such that ji = jr. Then, 

Pr \Viih = l \Vhh ■ ■ ■ Vii-di-i = !] = tfLi-i 

because, once we have set y% x j x = 1, . . ., yi l _ 1 j l _ 1 = 1, we have also set all other y^j, . . ., yi t _ x j to 0. 
Then, we have N — I — 1 variables y^ which are not set yet and, out of them, Zj t — si must be 1. 

Therefore, E[I] is a product of k terms, each of which is a linear function of zi, . . . , zm- This 
means that E[I\ is a polynomial in z±, . . . , zm of degree fc. This completes the proof of the lemma. 
□ 
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3.2 Lower bound for properties with small range 

We now finish the proof of Theorem 2. Obviously, the minimum degree of a polynomial approxi- 
mating <fi' is at most the minimum degree of a polynomial approximating <j> (because we can take a 
polynomial approximating (f> and obtain a polynomial approximating <j>' by restricting it to variables 
Uij, j £ [N]). In the other direction, we can take a polynomial P' approximating <p' and obtain a 
polynomial Q' in z±, . . . , zn approximating cp' by Lemma 2. We then construct a polynomial Q in 
zi, . . . , zm of the same degree approximating <p>. After that, using Lemma 2 in the other direction 
gives us a polynomial P in yu, . . . , i/nm approximating <f>. 

It remains to construct Q from Q'. For that, we can assume that Q' is symmetric w.r.t. 
permuting zi, . . . , zjv- (Otherwise, replace Q' by the expectation of Q'(z n ^, . . . , z w rm), where ir is 
a uniformly random permutation of {1,2,..., N}.) Since Q' is symmetric, it is a sum of elementary 
symmetric polynomials 

O' = V z ci z c ' 2 ■ ■ ■ z Ct 
h,...,i t e[N] 

Let Q be the sum of elementary symmetric polynomials in z±, . . . , zm with the same coefficients. 

We claim that Q approximates (p. To see this, consider an input function / : [N] — > [M]. There 
are at most iV values j £ {1, . . . ,M} such that there exists i £ {1, . . . ,N} with f(i) = j. This 
means that, out of M variables z±, . . . , zm corresponding to /, at most iV are nonzero. 

Consider a permutation tt £ Sm that maps all i £ [M] with z,- L / to {1, . . . , iV}. Let /' = nf. 
Since (p is symmetric, </>(/) = 4>{f')- Since /' is a function from [N] to [A/"], Q' correctly approximates 
(j) on /'. Since Q(z±, . . . , zat, 0, . . . , 0) = Q'(zi, . . . , ^at), Q also correctly approximates ^ on /'. Since 
Q is symmetric w.r.t. permutations of z\, . . . , zm, <3 approximates (/> on the input function / as 
well. This completes the proof of Theorem 2. 

3.3 Lower bound on the polynomial degree of the AND— OR tree 

As a by-product, our result provides a better lower bound on the polynomial degree of a well-studied 
Boolean function. 

This Boolean function is the two level AND-OR tree on A^ 2 variables. Let x\, . . . , x N 2 £ {0, 1} 
be the variables. We split them into N groups, with the i th group consisting of X( i _ 1 )Ar +1 , x^ i _ 1 ^ N+2 , 
. . ., XiN- The AND-OR function g(x\, . . . , x^) is defined as 

n iN 

g{x!,...,x N 2) = f\ \J xj. 

i=lj=(i-l)N+l 

A polynomial p(x±, . . . , x^) approximates g if < p(x±, . . . , x^) < e whenever g(x±, . . . , x^) = 
and 1 — e < p(xi, . . . , x N 2) < 1 whenever g{x\, . . . , x N 2) = 1 (similarly to Definition 1). 

It has been an open problem to determine the minimum degree of a polynomial approximating 
the two-level AND-OR tree. The best lower bound is f^V^logAO by Shi [22], while the best 
upper bound is O(N). (Curiously, the quantum query complexity of this problem is known. It is 
@(N), as shown by [7, 3]. If the polynomial degree is o(N), this would be the second example of a 
Boolean function with a gap between the polynomial degree and quantum query complexity, with 
the first example being the iterated functions in [4].) We show 

Theorem 3 Any polynomial approximating g has degree £l(N 2 / 3 ). 
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Proof: Consider the element distinctness problem for M = N . An instance of this problem, 
/ £ J~(N, N) can be described by iV 2 variables yu, . . . , unn (as shown in Section 2.2). 

The values of the function, /(l), /(2), . . ., f(N), are all distinct if and only if, for each j £ [iV], 
there exists z £ [iV] with f(i) = j. This, in turn, is equivalent to saying that, for each i £ [N], one 
of the variables yu,y2i, ■ ■ ■ , VNi is equal to 1. 

Assume we have a polynomial P(x±, . . . , Xjv 2 ) °f degree d approximating the two level AND-OR 
tree function g. Consider the polynomial Q(yu, ■ ■ ■ ,2/tvat) obtained from P by replacing x^_^ N+ j 
with yji. If the N values f(i) are all distinct, then, for each j £ {1, . . . , N}, there exists i such that 
f(i) = j. Therefore, one of the variables yij, ... ,yNj is 1 and the OR of those variables is also 1. 
This means that the AND-OR function g(x±, . . . ,x^2) is equal to 1. If the values f(i) are not all 
distinct, then there exists j £ [N] such that there is no i with f(i) = j. Then, yu,y2i, ■ ■ ■ ,ym are 
all 0, implying that g(x\, . . . ,x N 2) = for the corresponding assignment x\, . . ., x N 2. 

This means that Q approximates the element distinctness property, in the sense of section 2.2. 
Since degree Q(N 2 / 3 ) is required to approximate element distinctness, d = Q(N 2 ^ 3 ). □ 

4 Conclusion 

We have shown that, for any symmetric property of functions / : [N] — > [M], its polynomial degree 
is the same for all M > N. Thus, if we prove a lower bound for the degree for some large M, this 
immediately implies the same bound for M = N. Since the polynomial degree is a lower bound for 
quantum query complexity, this can be used to show quantum lower bounds. As particular cases of 
our result, we get that the collision problem has degree ^(N 1 / 3 ) and that the element distinctness 
problem has degree Q(N 2 ^ 3 ), even if M = N. This implies Vt(N 1 / 3 ) and Q,{N 2 / 3 ) quantum lower 
bounds on these problems for M = N . 

A part of our result is a new representation for polynomials describing properties of functions 
/ : [N] —>■ [M]. This new description might be useful for proving new quantum lower bounds. We 
conclude with two open problems. 

1. Modified element distinctness problem. Say we are given / : [N] — > [N] and we are 

promised that either / is one-to-one or there are i,j,k such that f(i) = f(j) = f(k). We 
would like to know which of these two is the case. What is the quantum query complexity of 
this problem? 

The problem is quite similar to element distinctness in which we have to distinguish one- 
to-one function from one having f(i) = f(j) for some i,j with i / j. The known 0{N 2 / 3 ) 
quantum algorithm still applies, but the f2(iV 2 / 3 ) quantum lower bound of [2] (by a reduction 
from the collision problem) breaks down. The best lower bound that we can prove is Q,{N 1 / 2 ) 
by a reduction from Grover's search. Improving this bound to Q(iV 2 / 3 ) is an open problem. 

This problem is also similar to element distinctness if we look at it in our new z±, . . . , zu 
representation. For element distinctness, a polynomial Q must satisfy Q(l, . . . , 1) £ [1 — e, 1] 
and Q(zi, . . . , zn) £ [0, e] if Z\ + • • • + zn = N and Z{ > 2 for some i. For our new problem, 
we must have Q(l, ■ • • , 1) £ [1 — e, 1] and Q(z±, ■ ■ ■ , zjv) £ [0, e] if z\ + • • • + zn = N and Zi > 3 
for some i. In the first case, degree £l(N 2 / 3 ) is needed [2]. In the second case, no such lower 
bound is known. 

2. Polynomial degree vs. quantum query complexity for symmetric properties. Let 

<p be a symmetric property of functions / : [N] — > [M]. Let deg(0) be the minimum degree 
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of a polynomial that e- approximates / and Q2{4>) be the minimum number of queries in 
a quantum query algorithm computing (ft with error at most e. Is it true that these two 
quantities are polynomially related: Q2(<ft) = 0(deg c ((ft)) for some constant c? 

This open problem was first proposed by Aaronson [1, 2], regarding properties which are only 
symmetric with respect to permuting inputs to /: (ft(f) = <ft(fir) for any ir £ Sn- It remains 
open both in this case and in the case of properties having the more general symmetry 
considered in this paper (</>(/) = (ft(afir), for all ir £ Sn and a £ Sm)- It is known that 
Q 2 ((ft) = 0(deg 2 ((ft)) if M = 2. 
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